F5 Friday: API Security with F5 and 3scale

Lori MacVittie

Published February 22, 2019

Back when Service Oriented Architectures (SOA) were all the rage and SOAP-based web services were the primary means of integration, there arose a need for SOA Gateways in the market. These solutions offered management, versioning, HTTP routing, and more. What they didn't offer - at least not comprehensively - was security. For that, we saw the rise of SOA Security Gateways.

Today, APIs are all the rage and RESTful, JSON-based services provide the backbone for mobile and cloud-native apps to exchange data. APIs need the same set of services as SOA gateways - including security. But like their predecessors, most API Gateways are focused on business and application-specific capabilities.

API Gateways like 3scale evaluate, transform, and secure messages across an organization. They provide support for versioning, rate limiting, and business-focused functions like integration with payment gateways. Dashboards offer developers a view of performance and usage.

But API Gateways don't necessarily provide comprehensive security coverage. DoS protection, ferreting out malicious content, and blocking bots is the purview of security services like an advanced WAF. By pairing the two, you raise the bar on security and increase confidence in the integrity of your APIs.

This is particularly important considering that 60% of organizations offer a public API (State of API Integration 2018, Cloud Elements) available to any developer. Any developer might be a good thing for opening up opportunity, but it also opens the business to attack by those harboring malicious intent.

F5 has teamed up with 3scale to enable customers to enjoy a comprehensively secure application environment. By layering an F5 Advanced WAF in front of a 3scale API gateway, you can benefit from additional security measures that include the use of IP intelligence to identify threats faster and more accurately, the ability to offer a secure API façade internally or externally, and protection against a variety of application layer attacks.

That's increasingly important as APIs take center stage as the primary means of integration both internally and externally. As noted in a Forbes article in 2018: